What is Tailgating?
Tailgating, also known as piggybacking, is one of the most common ways for hackers and other unsavory characters to gain access to restricted areas. After all, it‘s easier to just follow an authorized person into a company than breaking into it.
How does tailgating work?
Tailgating can range from simply following a person through doors that have access locks to putting on a disguise to trick people into opening that door. Delivery people, repair men, people struggling with big boxes, people who look busy and important… the list of ways to fool others into opening or holding doors are endless. As soon as we think we’ve figured out the methods of fraudsters they change them again. That’s why we need constant security awareness training.
Tailgating is a fairly simple form of social engineering, a tactic that relies on specific attributes of human decision-making known as cognitive biases. These are also known as “bugs in the human hardware” and can be exploited in various combinations. When tailgating, the attacker relies on the other person following common courtesy, either refraining from challenging them or even holding the door. When you’re training people not to follow these social norms you are really training them to go against everything they’ve been thought, not such an easy job.
What‘s the danger of tailgating?
Hackers and fraudsters who want to gain access to a company can be after different things. Some simply want to steal valuable equipment such as laptops and smart devices. Often this equipment has sensitive information stored on it so the theft is twofold. Some could be hoping to insert spyware into ports of specially targeted computers or routers to steal information or money. Others could be trying to gain access to the company‘s server room to create a backdoor to the entire network and steal data and company secrets. And then there are those who simply want to cause harm, by violence, vandalism, corporate espionage or other means.
Tailgating can cause a lot of harm and in many ways. From simple loss of equipment to financial loss and severe damage to the company‘s reputation, or even physical harm to people. Strong awareness culture often starts with teaching employees that it’s their responsibility to challenge people who do not belong.
Tailgating and responsibility
The problem with tailgating is that people often don’t realize it’s happening. That they, as authorized personnel, are responsible for stopping people from following them through open doors. Or that they should think twice before holding those doors. Fraudsters, thieves and hackers all rely on either the kindness of strangers or lack of awareness and responsibility. They also know that confronting strangers and denying them access usually makes people uncomfortable. This is especially true for big corporations.
We‘re guessing that most everyone would hold the door for a person who’s obviously struggling with a heavy box. Most of us are courteous, well meaning people. But not thieves and hackers! They rely on our kindness and use it to gain access to our companies, our computers or servers, and our data.
Being kind to strangers is usually a good thing. But when it comes to the safety and privacy of our workplace we should think twice and be on guard.
How to prevent tailgating
Both organisations and their employees have a lot of ways to minimize the risk of tailgating. Companies will need to put strong policies in place and install access controls for entrances as well as specially restricted areas. Then they will need to train their employees to be aware of their surroundings and take responsibility at their workplace. Employees are stakeholders when it comes to security issues too.
Larger organisations are especially at risk when it comes to tailgating. They have many employees, often on many floors or even many buildings, so not everyone knows everyone. In addition they often use freelance workers and have large offices with more than one entrance. All this makes it easier to tailgate and reduces the chances of employees challenging a stranger.
Here are a few basic things organisations can do to prevent tailgating:
- Use smart cards and badges
- Hire security guards
- Use bio-metrics as access control
- Install turnstiles
- Install access controls with pin numbers
- Require visitors to wear badges
- … use a combination of any, or all, of those things
Last but not least, organisations will need to train their employees to use and respect the access controls. They need to be constantly reminded that it is part of their responsibility to challenge people who do not belong and to stop tailgaters in their tracks when they try to follow them through open doors. After all – the safest and most expensive security equipment is useless if employees simply hold the door open to anyone.
This is where security awareness training comes in. Employees will need continuous reminders on various security topics to keep it top of mind.
Here are a few things every organisation should teach their employee to prevent tailgating:
- Don’t hold the door for anyone, even if they’re in uniform
- Stop people when they attempt to follow you into access restricted areas
- Challenge people in the work space if you don’t know them
- Challenge people who are not wearing a badge
- Report suspicious characters to security
- Direct guests who say they have a meeting to the reception
- Close doors you know should be closed (if they don’t close properly, report it to security)
- Be constantly vigilant and aware of your surroundings
- Be aware that thieves and hackers could be disguised as repairmen or delivery people
- Former employees should not be allowed unchecked access within the company, even if they are your friends
How big is the risk of tailgating?
According to a survey done by Boon Edam Inc. over 70% of enterprise security executives believed that they were vulnerable to a security breach by tailgating. Respondents also believed that the cost of a tailgating breach could range from 150.000$ to “too high to measure”.
Some famous news of tailgating security breaches are, for instance, when a dismissed resident at Mount Sinai St. Luke’s Hospital in New York City, gained access to five operating rooms over two days to observe procedures. After dressing up in scrubs she tailgated an employee who’d used their identification badge to gain access to the operating room. She also slipped in as groups of operating room staff held the door open and tagged along behind employees during shift changes. This is one of the reasons why security awareness for the health care industry is so important. Fortunately this tailgater only observed the operations and did not participate in patient care in any way. Regardless, it was a significant breach in security and a big blow for the hospital’s reputation.
In spring 2019 a Chinese national was discovered in a restricted area at Trump‘s Mar-a-Lago resort. The individual was carrying a USB device containing malware. Reports indicate that the trespasser managed to confuse security personnel who thought she was related to a club member with the same last name. She also showed the security personnel an invitation she said was for a “United Nations Friendship event”. The invitation was in Chinese which none of the security staff could read.
From financial enterprises and hospitals to the President of the United States, tailgaters will stop at nothing to gain access to places where they don’t belong. It is our job to follow security protocols and make sure access restrictions work.